In this section, we list several observations about the Flame near-collision blocks that are relevant to our analysis.
Observation 3.5. The first and third near-collision blocks of the Flame collision attack use the message block differences from the first differential path of Wang et al.’s identical-prefix attack,
δm4 = δm14 = 231, δm11 = 215 and δmi = 0 for i 6= 4,11,14. The second and fourth block use the differences from the second differential path of the identical prefix attack, δm4 =δm14 = 231,
δm11=−215 and δmi= 0 for i6= 4,11,14.
21
Observation 3.6. For steps i= 25, . . . ,32, all four near-collision blocks have the trivial working state differences δQi = 0. For steps i= 35, . . . ,59, they have the trivial working state differences
δQi= 231, like the differential paths used in the attack by Wang et al.
Observation 3.7. The working state differences∆Q6are maximal in all four near-collision blocks, i.e., for every i= 0, . . . ,31, we have ∆Q6[i]6= 0. For t= 6, . . . ,32, the first and third differential
path have the same value for ∆Qt. Likewise, the second and fourth paths have the same value for
∆Qi with only one exception: In the second block, we have∆Q22[31] =−1 and in the fourth path, we have ∆Q22[31] = 1. However, this still gives us the same value forδQ22. In contrast, the values
of δQi for i <6 are different in all four paths.
Observation 3.8. In the first and third near-collision block, the values of ∆F9, . . . ,∆F35 are
identical. In the second and fourth block, the values for ∆F11, ∆F12, ∆F13, ∆F15, . . . ,∆F22 and ∆F24, . . . ,∆F35 are equal. Also, δF14 and δF23 are equal in the second and fourth block, and the values for ∆F23 only differ in bit position 31 where the sign does not matter modulo 232.
Proof. In the first and third differential paths, all the bitconditions on working states Q9, . . . , Q32 are identical. This implies that ∆F11, . . . ,∆F32 are identical for the first and third block. To see that the values for ∆F9 and ∆F10are identical, first recall thatqi[j],qi−1[j],qi−2[j]6∈ {+,-}implies ∆Fi[j] = 0. Thus, it remains to inspect the positions where one of the relevant bitconditions is +
or -. At all these places, the bitconditions in the first and third path are the same. Finally, the bitconditionsq35[31]q34[31]q33[31] in those two paths cause the same ∆F35[31].
In the second and fourth path, the bitconditions onQ9,Q10,Q11,Q14, . . . , Q21andQ23, . . . , Q31 are identical. This shows that the values for ∆F11, ∆F16, . . . ,∆F21and ∆F25, . . . ,∆F31are identical in those two blocks. Also, ∆F12 and ∆F13 have the same values in both blocks because there are no ‘+’- or ‘-’-bitconditions involved. The values for ∆F14 are different, but the values for δF14 are still the same in the two blocks. The values for ∆F15 are the same. The bitconditions on steps 20,21,22 still produce the same ∆F22. The values for ∆F23 are different but due to 231 ≡ −231 mod 232, we have the same values for δF23. The values for ∆F24 are equal again.
Observation 3.9. The probabilities for the correct rotations of δTt for 11 ≤ t ≤ 61 in all four blocks, as given by the formulas in Lemma 1.6, are optimal, i.e., the rotations in the observed path have the highest probability among all alternatives. The conditional estimates are quite similar to the computed probabilities at these steps.
However, on steps with many bitconditions, the formulas for the probabilities in Lemma1.6are less meaningful and the first 8 steps of the Flame differential paths have more bitconditions than the later steps. The conditional estimates and the computed probabilities may differ drastically, as can be seen, for example, in the second and third block at step 4 which has a computed probability of roughly 0.1 while the conditional estimate is 1.0. Thus, we should also take a closer look at the conditional estimates:
Observation 3.10. The following table summarizes theestimated conditional probabilitiesfor the rotations in steps 0 to 10 of all four near-collision blocks. For the specified ranges for the probability
p, it lists for each near-collision blocks the steps where the rotation probability falls in the given range, followed by the total number of such steps.
Probability p 1st block 2nd block 3rd block 4th block Sum 0.05< p <0.06 8 8 2 0.10≤p <0.15 10 10 2 0.15≤p <0.20 2,8 2 0.25≤p <0.50 1,2 2 3 0.50≤p <0.75 1,9 5,8,9 9 1,6,7,9 10 0.75≤p <1.00 0,3,10 1 2,10 6 p= 1.00 0,3, . . . ,7 4,6,7 0,3, . . . ,7 0,3,4,5 19 Thus, we can see that the probabilities are mostly rather large.
These observations do not match the attack by Stevens et al. The observations support Hy- pothesis 3.1 as follows. They show that the four blocks all have a common structure: Up to and including step 5, the differencesδQtvary among all four blocks. Then, there is a maximal difference
in step 6. After that, the values for ∆Qt and ∆Ft are mostly identical in the first and third and
in the second and fourth blocks, leading up to long sequences of trivial steps. The final five steps again differ greatly among all four blocks. We thus conclude that, similar to the attack by Stevens et al., a lower part based on the input IHVs and an upper part were generated separately and then combined.
The conclusion that the upper differential paths are generated by “brute force” while the lower paths are not is supported by Observations 3.9 and 3.10. It is noteworthy that in all the steps from 11 to 61, all four blocks use the highest-probability rotation ofδTt asδRt. Of course, in the
trivial steps, there is only one possible rotation. However, the non-trivial steps 11 up to 25 use the highest probabilities while the steps before sometimes use rotations with smaller probability. As already said, the formulas for the probabilities in Lemma 1.6 are quite inaccurate when there are many bitconditions. The conditional rotation probabilities are mostly quite high, but a few steps have low rotation probabilities. This indicates a brute force approach: For random working states Q1, . . . , Q10 and Q01, . . . , Q010, we would expect to see mostly high-probability rotations, but also some low-probability ones. When extending a differential path deliberately, on the other hand, one would choose high-probability rotations.
In the following subsection, we take a closer look at the steps in the differential paths where we believe that the connection between the upper and lower part occurred. Our findings corroborate the second part of Hypothesis 3.2. We believe that the connection takes place over working states Q5, Q6, Q7 and Q8 because of Observations 3.7 and 3.8: ∆Q6, ∆Q7 and ∆Q8 appear to belong to the lower differential paths, but ∆F7 and ∆F8 vary in all four differential paths, so they donot belong to the lower paths. This makes it seem likely that ∆F7 and ∆F8 are varied to achieve the appropriate values for ∆Q7, ∆Q8 and ∆Q9. To achieve maximal control over ∆F7, we need to include stepsQ5 andQ6 in the connection step. Having maximal differences in ∆Q6 aids in having many possible alternatives forδF6 available.